
Addison Wesley Understanding Windows CardSpace Jan 2008

Pages: 383
Size: 3.9 MB
Format: PDF
Views: 1599

Praise for Understanding Windows CardSpace

“Windows CardSpace, and identity selectors like it for non-Windows platforms, will quickly bring information cards to the forefront as the authentication mechanism of choice for end-users—at last significantly reducing the pain and risks involved in username and password authentication. Vittorio, Garrett, and Caleb are three really super smart guys who know CardSpace and the underlying technologies and standards intimately. In this book, they provide the perfect amount of detail on the very real risks of today’s application security models, followed by an overview of relevant cryptography and WS* protocols, and then they dig right in to common scenarios for deploying CardSpace while also explaining important underlying parts of the CardSpace technology to help you understand what’s going on under the hood. If you aren’t sure if CardSpace is right for your applications, you should read this book and find out why. If you are planning to implement a CardSpace solution, you should absolutely read every page of this book to gain insight into otherwise not well-documented information about the technology.”

—Michele Leroux Bustamante, Chief Architect, IDesign and Microsoft Regional Director

“Identity management is a challenging and complex subject, involving traces of cryptography and network security along with a human element. Windows CardSpace and this book both attempt—successfully—to unravel those complexities. Touching on all the major points of CardSpace and identity management in general, this book comprehensively explains the ‘what’ and the ‘how’ of this new Microsoft technology.”

—Greg Shields, Resident Editor, Realtime Windows Server Community, Contributing Editor, Redmond Magazine and MCP Magazine

“Learn about CardSpace from the people who built and influenced it!”

—Dominick Baier, Security Consultant, thinktecture

“Chock full of useful, actionable information covering the ‘whys,’ ‘whats,’ and ‘hows’ of employing safer, easier-to-use, privacy-preserving digital identities. Insightful perspectives on topics, from cryptography and protocols to user interfaces and online threats to businesses drivers, make this an essential resource!”

—Michael B. Jones, Director of Identity Partnerships, Microsoft

“It’s one of the most serious problems facing anybody using the Internet. Simply put, today’s digital world expects secure and user-centric applications to protect personal information. The shift is clear in the demand to make the user the center of their digital universe. The question is, how do you build these kinds of applications? What are the key components? Unfortunately, identity is often one of the most overlooked and least understood aspects of any application design. Starting with the basics and building from there, this book helps answer these questions using comprehensive, practical explanations and examples that address these very problems. It’s a must-read for application developers building any type of Internet-based application.”

—Thom Robbins, Director .NET Framework Platform Marketing, Microsoft, Author

Understanding Windows CardSpace

Independent Technology Guides

David Chappell, Series Editor

The Independent Technology Guides offer serious technical descriptions of important new software technologies of interest to enterprise developers and technical managers. These books focus on how that technology works and what it can be used for, taking an independent perspective rather than reflecting the position of any particular vendor. These are ideal first books for developers with a wide range of backgrounds, the perfect place to begin mastering a new area and laying a solid foundation for further study. They also go into enough depth to enable technical managers to make good decisions without delving too deeply into implementation details.

The books in this series cover a broad range of topics, from networking protocols to development platforms, and are written by experts in the field. They have a fresh design created to make learning a new technology easier. All titles in the series are guided by the principle that, in order to use a technology well, you must first understand how and why that technology works.

Titles in the Series

Brian Arkills, LDAP Directories Explained: An Introduction and Analysis, 0-201-78792-X
David Chappell, Understanding .NET, Second Edition, 0-321-19404-7
Eric Newcomer, Greg Lomow, Understanding SOA with Web Services, 0-321-18086-0
Eric Newcomer, Understanding Web Services: XML, WSDL, SOAP, and UDDI, 0-201-75081-3

For more information check out informit.com/aw

Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities

Vittorio Bertocci

Garrett Serack

Caleb Baker

Upper Saddle River, NJ  Boston  Indianapolis  San Francisco

New York  Toronto  Montreal  London  Munich  Paris  Madrid

Cape Town  Sydney  Tokyo  Singapore  Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419
[email protected]

For sales outside the United States please contact:

International Sales
[email protected]

Visit us on the web: www.informit.com/aw

Library of Congress Cataloging-in-Publication Data

Bertocci, Vittorio.
Understanding Windows CardSpace : an introduction to the concepts and challenges of digital identities / Vittorio Bertocci, Garrett Serack, Caleb Baker.
p. cm.
Includes index.
ISBN 0-321-49684-1 (pbk. : alk. paper) 1. Windows CardSpace. 2. Computer security. 3. Computer networks—Access control. 4. Identity theft—Prevention. 5. Web services. I. Serack, Garrett. II. Baker, Caleb, 1974- III. Title.
QA76.9.A25B484 2008
005.8—dc22
2007044217

Copyright © 2008 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax (617) 671 3447

ISBN-13: 978-0-321-49684-3
ISBN-10: 0-321-49684-1

Text printed in the United States on recycled paper at R.R. Donnelley in Crawfordsville, Indiana

First printing December 2007

Editor-in-Chief: Karen Gettman
Acquisitions Editor: Joan Murray
Senior Development Editor: Chris Zahn
Managing Editor: Gina Kanouse
Project Editor: Betsy Harris
Copy Editor: Keith Cline
Indexer: Erika Millen
Proofreader: Language Logistics, LLC
Technical Reviewers: Dominick Baier, Eric Ray, Greg Shields
Publishing Coordinator: Kim Boedigheimer
Cover Designer: Sandra Schroeder
Compositor: Bronkella Publishing

To our families


Contents

Foreword xv
Preface xviii

Part I SETTING THE CONTEXT

1 THE PROBLEM 3
The Advent of Profitable Digital Crime 4
The Dawn of Cracking 5
The Vandalism and Bravado Era: Viruses and Worms 7
The Rush to Web 2.0 and Asset Virtualization 10
Malware and Identity Theft 16
A Business on the Rise 27
Passwords: Ascent and Decline 29
Ascent 29
Decline 33
The Babel of Cryptography 36
Cryptography: A Minimal Introduction 38
HTTP and HTTPS: The King Is Naked 46
HTTPS, Authentication, and Digital Identity 52
The Babel 57
The Babel of Web User Interfaces 79
Summary 84

2 HINTS TOWARD A SOLUTION 87
A World Without a Center 89
The Seven Laws of Identity 92
User Control and Consent 94
Minimal Disclosure for a Constrained Use 96
Justifiable Parties 98
Directed Identity 101
Pluralism of Operators and Technologies 104
Human Integration 105
Consistent Experience Across Contexts 107
The Identity Metasystem 110
Some Definitions 112
Trust 115
Roles in the Identity Metasystem 116
Components of the Identity Metasystem 122
The Dance of Identity 130
WS-* Web Services Specifications: The Reification of the Identity Metasystem 136
The WS-* Specifications 138
WS-* Implementation of the Identity Metasystem 156
Presenting Windows CardSpace 161
Summary 164

Part II THE TECHNOLOGY

3 WINDOWS CARDSPACE 169
CardSpace Walkthroughs 169
From the User’s Perspective 170
From the Web Developer’s Perspective 173
Is CardSpace Just for Websites? 175
System Requirements 176
What CardSpace Provides 177
Consistent User Experience 177
Brokering Trusted Interactions 181
A Deeper Look at Information Cards 184
Card Types 187
Personal Information Cards 188
Managed Information Cards 196
Features of the CardSpace UI 204
Private Desktop 204
Disabling CardSpace 206
Relying Party Identification Page 207
Managed Card Import Page 208
Common CardSpace Management Tasks 210
Management Mode 211
Creating and Editing a Personal Card 212
Moving Cards Between Computers 214
User Experience Changes in .NET Framework 3.5 218
Simplified Use of Personal Cards 219
Simplify Import of Managed Cards 220
Better Communication to the User 220
Summary 221

4 CARDSPACE IMPLEMENTATION 223
Using CardSpace in the Browser 224
Understanding the Information Card Browser Extension 224
How Are the Extension Properties Used? 228
Scripting CardSpace 232
Processing the Token 238
Accepting Personal Cards at a Website 243
Accepting Managed Cards at a Website 244
Auditing and Nonauditing IPs 246
Federation with CardSpace 248
CardSpace and Windows Communication Foundation 252
Windows Communication Foundation 252
Adding CardSpace to WCF 255
Calling CardSpace from WCF 256
Decrypting the Token 258
Verifying the Token 260
Processing Claims 260
Additional Policy Options 261
CardSpace Without Web Services 262
Manage CardSpace 264
Import a CardSpace File 264
Get a Token from CardSpace 264
Get a Browser Token from CardSpace 267
Summary 268

5 GUIDANCE FOR A RELYING PARTY 269
Deciding to Be a Relying Party 270
Putting CardSpace to Work 274
Preparation 275
Database Changes 276
Examining the Authentication Experience 277
Developing the New Authentication Experience 278
Signing In 285
Handling the Unknown Card 286
Associating an Information Card with an Account 288
Creating a New Account 288
Recovering an Account 291
Prompting the User to Use Information Cards 294
Account Maintenance 297
Privacy and Liability 299
Summary 302

Part III PRACTICAL CONSIDERATIONS

6 IDENTITY CONSUMERS 305
Common Misconceptions about Becoming an Identity Provider 306
Criteria for Selecting an Identity Provider 309
Managed Cards Profiles 309
Identity Provider Qualifications 312
Relying on an IP 315
Benefits of Using an IP 316
Reaching an Agreement with the Identity Provider 318
Migration Issues 320
Summary 321

7 IDENTITY PROVIDERS 323
Uncovering the Rationale for Becoming an Identity Provider 324
Managing Identities for Your Organization 325
Managing Identities Used by Other Organizations 327
Providing Claims-Based Services 331
Internet Commerce 333
Providing Strong Authentication to Relying Parties 333
What Does an Identity Provider Have to Offer? 334
Understanding Your Data 335
Identity Provider Reputation 336
Walking a Mile in the User’s Shoes 338
Roaming with Information Cards 340
An Organization’s Identity 341
Summary 342

Index 343
